DDoS Attacks Via DNS Recursion
JehCt writes "Associated Press is running a story about how the recursion feature of open DNS servers can be used to launch massive distributed denial of service (DDoS) attacks: 'First detected late last year, the new attacks direct such massive amounts of spurious data against victim computers that even flagship technology companies could not cope.' A thread at WebmasterWorld explains, 'To make a long story short, having a DNS server that allows recursion for the Internet is like running an open SMTP relay.'"
Could someone explain how the attack works? (Score:2, Interesting)
From what I understand of DNS resolvers, this attack can't work unless there's another compromise at play here. Either a compromise of one of the victim host's zones, or a compromise of the servers hosting the open resolvers themselves.
That's a bold statement (Score:3, Interesting)
Anyone want to discuss how DNS Cache [cr.yp.to] addresses this? AFAIK this is a pretty "safe" way to provide DNS to at least a small-sized network - but that's all I run it on. Comments, concerns, advice?
Re:djbdns (Score:3, Interesting)
Re:I love djbdns (Score:3, Interesting)
djbwm - it's the best window manager in the world, but when you try to move a window, it argues with you for ten minutes that it was already in the right place.
Re:djbdns (Score:4, Interesting)
When BIND is fixed I'll implement it (Score:2, Interesting)
Some of us don't like the idea of maintaining more servers than are absolutely required; this looks like a pretty bogus reason to install another set of nameservers.
StormPay: A recent example of this attack (Score:3, Interesting)
As previous posters have noted, these attacks have become more frequent in recent months, prompting an advisory from US-CERT (PDF) [us-cert.gov] in December. It's a hot topic on several security lists, and a special focus of SecuriTeam blogger Gadi Evron [securiteam.com].
Re:When BIND is fixed I'll implement it (Score:3, Interesting)
> turn it off ("additional-from-cache"):
Excellent. The commentary on the site with the original article didn't seem to know about that trick. So now I just need to make sure I have wrapped my head around all of the details and start making the changes. Going to be a bit of bother this way but manageable. Installing another pair of nameservers was right out; this way is doable.
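As an added example (not configuration posted by anyone in the thread), here is a BIND 9 named.conf fragment that puts the "open relay" setting beside the restricted one the reply above is heading for; the "trusted" ACL addresses and the example.com zone are placeholders, and the additional-from-cache option is the one named in the quoted reply (an older BIND 9 option; check your release's documentation before relying on it).

```conf
// Added example, not from the Slashdot thread.
// Goal: stay authoritative for our own zones for the whole Internet,
// but answer recursive queries only for our own hosts.

acl "trusted" {
    127.0.0.1;
    192.0.2.0/24;       // placeholder: replace with your internal networks
};

// Weak setting: anyone on the Internet may use this server as a
// resolver, so spoofed queries with a victim's source address turn
// it into an amplifier. Kept here only for comparison.
//
// options {
//     recursion yes;
//     allow-recursion { any; };
// };

// Restricted setting.
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { "trusted"; };   // recursion for our hosts only
    // Do not pad authoritative answers to strangers with cached
    // records (the trick quoted in the reply above; older BIND 9 option).
    additional-from-cache no;
};

// Authoritative data is still served to everyone; allow-query here
// is deliberately unrestricted.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
```

After reloading, confirm from an outside address that a query for a name you are not authoritative for returns REFUSED rather than an answer, and that queries for your own zones still succeed.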
Re:Of course there is... (Score:3, Interesting)
The problem is doing the cache for internal hosts (or an internal interface) and running zone authority for external (internet) users on one server. Apparently it's not possible using the built in configuration tool. There's probably a registry key which determines which interface will forward or not, around here: HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\C
It may be possible to get another instance running on a different interface also..
Until then, you need two hosts in Windows, with one not allowing recursion on the outside or DMZd/NATd and one local cache/forwarder box inside. Thanx MS